Managing sensitive data at the University of Bristol

Kellie SnowResearch Data Librarian, Research Data ServiceJisc Research Data Network Workshop, 18th May 2016

Background

• Research Data Repository (data.bris) went live in July 2014

• For open data only• Immediately apparent some

researchers would require restricted access

• Studies wanting to share, but not knowing how – informal processes

2

Initial thoughts• What would any restricted access level(s) be?• How should they be applied?• Would this fit with the ethical policies and

workflows of the University?• How would we objectively decide who to

grant access to?• What would be the processes that needed to

be in place?• What would be the technical challenges?• Did we have the capacity as a service to

administer this?

3

First steps• Issue raised by Research Governance• Number of meetings and discussions

over several months• November 2014 – report put forward

by RDS and Governance to University Ethics Research Committee:• Suggested data access levels• Request to establish Task & Finish

Group

4

Image: Sharyn Morrow

Data Access Task & Finish Group • Established to investigate the feasibility of a Data Access Committee (DAC),

as recommended by the EAGDA report• Representation from IT security, Governance, Secretary’s Office (DPA/FoI),

senior academics• Met three times – matters addressed:

• Scope of a DAC• Data Access Agreements (drawn up by external lawyers)• Processes for controlled datasets

• Many of proposed procedures based on EAGDA recommendations and UKDA

5

Data Access T&F Group recommendations

• October 2015 – produced set of recommendations:• Access levels embedded in ethics application process• Processes for handling restricted and controlled datasets piloted• Permanent DAC is formed• Further consideration around retention of copies of requested data• Consideration of data access levels at contracts stage (commercial

research)

• Passing through University committees – DAC soon to be approved

6

Established processes

7

Data Access Levels

8

Open

Restricted

Controlled

Closed

Online and available to anyone without restriction. No sensitivities.

Available to bona fide researchers. Repository staff will check credentials.

Only available after panel of senior staff (DAC) have assessed request. Highly sensitive or older studies where appropriate permissions have not been sought.

Data not available for sharing (except regulators) because of ethical, IPR, prior exclusive agreements or other constraints (requests handled by Information Rights Officer).

At the start of a project…

• Researcher identifies likely access level(s) that will be used

• Outlined in DMP • Allocated as part of ethics

application• Included in contracts with

external partners (where necessary)

9

At the data deposit stage…

• Researcher assigns access level in metadata record (verified by RDS)

• DOI landing page/repository record directs third party to RDS to request access form

• Dataset itself is stored either within Research Data Storage Facility or with research group

10

When a request is received…

11

Restricted Controlled

Unforeseen challenges

• Procedure for checking if applicants ‘bona fide’

• Procedure for retaining Data Access Agreements

• Storage location of datasets• Supplying large datasets• Researchers with controversial papers

12

Advice for other institutions

• Never underestimate time involved getting agreement across the institution

• You’re unlikely to have covered every eventuality – be prepared to be reactive

• Process will allow you to build better relationships with other University services

• Your researchers will be grateful!

13

Future plans• Software system to deal with requests process (audit trail)• Online request form• Data Access Agreement repurposed by existing studies• Further procedures around commercial data (contract

issues, IP)• Further knowledge and procedures around clinical data

(esp. NHS) – where do sharing responsibilities lie?

14

Thank you for listening!

data-bris@bristol.ac.uk

@databris

15